scott-varadise opened a new issue, #35282:
URL: https://github.com/apache/superset/issues/35282
### Bug description
## **Description**
Apache Superset throws an AttributeError when using guest token
authentication. The GuestUser class is missing the required `active` attribute
that Flask-AppBuilder's security manager expects.
## **Error Message**
AttributeError: 'GuestUser' object has no attribute 'active'
## **Stack Trace**
File
"/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/decorators.py",
line 106, in wraps
if current_app.appbuilder.sm.has_access(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File
"/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/manager.py",
line 1591, in has_access
if current_user.is_authenticated and current_user.active:
^^^^^^^^^^^^^^^^^^^^
AttributeError: 'GuestUser' object has no attribute 'active'
## **Steps to Reproduce**
1. Configure Superset with guest token authentication
2. Create a guest token for dashboard access
3. Access dashboard API endpoint: `GET /api/v1/dashboard/{id}`
4. Error occurs when Flask-AppBuilder security manager checks
`current_user.active`
## **Expected Behavior**
Guest users should be able to access permitted dashboards without
AttributeError, with the security manager properly checking user permissions.
## **Actual Behavior**
The application crashes with a 500 error because the `GuestUser` class lacks
the `active` attribute required by Flask-AppBuilder's permission system.
## **Environment**
- **Superset Version**: [Specify your version]
- **Python Version**: 3.11
- **Flask-AppBuilder**: [Check your version]
- **Deployment**: Docker container
- **Authentication**: Guest token authentication
## **Suggested Fix**
The `GuestUser` class should include the required Flask-AppBuilder
attributes:
- `active = True`
- `is_authenticated` property
- `is_anonymous` property
## **Additional Context**
This appears to be a compatibility issue between Superset's guest
authentication implementation and Flask-AppBuilder's security manager
expectations. The error specifically occurs at line 1591 in Flask-AppBuilder's
manager.py when checking user permissions.
## **Workaround**
Manually add the missing attributes to the GuestUser class implementation in
the security manager configuration.
### Screenshots/recordings
_No response_
### Superset version
master / latest-dev
### Python version
3.9
### Node version
16
### Browser
Chrome
### Additional context
_No response_
### Checklist
- [ ] I have searched Superset docs and Slack and didn't find a solution to
my problem.
- [ ] I have searched the GitHub issue tracker and didn't find a similar bug
report.
- [ ] I have checked Superset's logs for errors and if I found a relevant
Python stacktrace, I included it here as text in the "additional context"
section.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
